On Friday 08 July 2005 16:11, Hans-Werner Hilse wrote:
> Well, two possibilities.
> 1.) the packets are already mirrored at your own box
> 2.) the packets are mirrored at the target box
>
> I guess it's #2, you can find out by tcptracing the wire.
>
> If I were to reproduce this behaviour of the remote box I'd set up an
> iptables rule with the "MIRROR" target. See "man iptables" for an
> explanation.

I am aware of the MIRROR Target, and I agree that this would be the way to do this.

>
> This may be some scary tactics to irritate the support persons in
> charge of managing the network - and has, according to your notes,
> proven to work for that :-)

Well it is certainly bugging me.

>
> My interpretation is:
> hacked box, shell services running on UDP 161, mirroring everything
> else to scare people :-) I think they've chosen SNMP port to hide their
> traffic, maybe to get through some firewalls.
>

Umm, quite possible. How about they have set their SNMP broadcast to a too wide range, which includes the whole subnet?

> -hwh

Many thanks for your input, you have been helpful!

-- 
Mike

To see the world in a grain of sand, and to see heaven in a wild flower,
hold infinity in the palm of your hands, and eternity in an hour.

GnuGPG KeyID:=FC0D8D9A
-- 
gentoo-user@gentoo.org mailing list
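
Added example, not part of the original thread: one way to check a capture taken on the wire for the mirroring discussed above. It relies on the iptables man page description of MIRROR (source and destination are inverted in the IP header, so ports and payload come back unchanged, unlike a real reply). The record format, addresses and function names are constructed for illustration.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "ts src sport dst dport proto payload")

# Constructed capture records (not from the thread): 192.0.2.10 is the local
# box, 198.51.100.7 the remote one. Format: ts src:port > dst:port proto hex
SAMPLE = """\
0.000 192.0.2.10:40000 > 198.51.100.7:22 tcp 53594e
0.040 198.51.100.7:40000 > 192.0.2.10:22 tcp 53594e
1.000 192.0.2.10:40001 > 198.51.100.7:80 tcp 474554202f
1.050 198.51.100.7:40001 > 192.0.2.10:80 tcp 474554202f
2.000 192.0.2.10:40002 > 198.51.100.7:161 udp 302602
2.030 198.51.100.7:161 > 192.0.2.10:40002 udp 302a02
"""

def parse(text):
    """Turn the constructed one-line-per-packet format into Packet tuples."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _, dst, proto, payload = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        packets.append(Packet(float(ts), sip, int(sport), dip, int(dport),
                              proto, bytes.fromhex(payload)))
    return packets

def find_mirrored(packets, local_ip, window=1.0):
    """Pair each outbound packet with an inbound copy whose IP addresses are
    swapped but whose ports and payload are unchanged, within `window` s."""
    pending = {}  # (remote_ip, sport, dport, proto, payload) -> outbound packet
    hits = []
    for p in sorted(packets, key=lambda p: p.ts):
        if p.src == local_ip:
            pending[(p.dst, p.sport, p.dport, p.proto, p.payload)] = p
        elif p.dst == local_ip:
            out = pending.get((p.src, p.sport, p.dport, p.proto, p.payload))
            if out is not None and p.ts - out.ts <= window:
                hits.append((out, p))
    return hits

def mirrored_ports(packets, local_ip):
    """Destination ports on the remote box whose traffic came back mirrored."""
    return sorted({out.dport for out, _ in find_mirrored(packets, local_ip)})

if __name__ == "__main__":
    for out, back in find_mirrored(parse(SAMPLE), "192.0.2.10"):
        print(f"{out.proto}/{out.dport}: sent {out.ts:.3f}, returned {back.ts:.3f}")
```

In the constructed sample the probes to TCP 22 and 80 come back mirrored, while UDP 161 gets an ordinary reply with swapped ports and a different payload, so it is not flagged.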